Having issues configuring Azure AD OIDC in Apache 2.4 with mod_auth_openidc

[raghunath1986]

• I have an application with workflow as
  Apache2 (with mod_auth_openidc to Azure AD) --> Tomcat --> APEX.

• Oracle APEX application, which will expect HTTP Header Variable "APP_REMOTE_USER" to authorized the user and present the corresponding Home Page (admin/user) .

• Created a custom claim in AzureAD with APP_REMOTE_USER and expecting that to be passed as HTTP Header to Tomcat followed by Oracle APEX application. Apache and Tomcat are running in the same server as Kubernetes Pod and Oracle APEX will run in separate server.

• Configured the below configuration and
  <VirtualHost *:443>
  ServerName myapp.example.com
  ServerName localhost
  ServerAlias localhost
  OIDCProviderMetadataURL https://login.microsoftonline.com//v2.0/.well-known/openid-configuration
  OIDCClientID XXX
  OIDCClientSecret XXX
  OIDCRedirectURI https:///ords/apex_authentication.callback
  OIDCCryptoPassphrase xxxxx
  OIDCScope "openid profile user.read email"
  ProxyPass /ords http://localhost:8080/ords
  ProxyPassReverse /ords http://localhost:8080/ords

    <Location /ords>
            RewriteEngine On
            AuthType openid-connect
            AuthName "ords-app"
            Require valid-user
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
  

• When I hit the url https:///ords/f?p=100 , upon successful authentication of AZAD , it's giving me back the error as
  Browser Error:
  =============
  Invalid Request
  Description:

The OpenID Connect callback URL received an invalid request

Apache Error:

Mon Nov 08 05:55:27.260915 2021] [auth_openidc:debug] [pid 46:tid 139882079209216] src/util.c(1029): [client 10.42.3.0:40356] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "44925f6b-4b53-42de-9a81-d0c9d62e1e13"
[Mon Nov 08 05:55:27.260921 2021] [auth_openidc:debug] [pid 46:tid 139882079209216] src/cache/common.c(569): [client 10.42.3.0:40356] oidc_cache_get: enter: 44925f6b-4b53-42de-9a81-d0c9d62e1e13 (section=s, decrypt=0, type=shm)
[Mon Nov 08 05:55:27.260940 2021] [auth_openidc:debug] [pid 46:tid 139882079209216] src/cache/common.c(603): [client 10.42.3.0:40356] oidc_cache_get: cache hit: return 5767 bytes from shm cache backend for key 44925f6b-4b53-42de-9a81-d0c9d62e1e13
[Mon Nov 08 05:55:27.261138 2021] [auth_openidc:debug] [pid 46:tid 139882079209216] src/util.c(1181): [client 10.42.3.0:40356] oidc_util_request_matches_url: comparing "/ords/apex_authentication.callback"=="/ords/apex_authentication.callback"
[Mon Nov 08 05:55:27.261162 2021] [auth_openidc:error] [pid 46:tid 139882079209216] [client 10.42.3.0:40356] oidc_handle_redirect_uri_request: The OpenID Connect callback URL received an invalid request: p_session_id=7330291222329&p_app_id=103&p_ajax_identifier=tYu4mllhmSusf3BTNzGUMJJYig974RRH9V_-PoBX9Bk&p_page_id=2; returning HTTP_INTERNAL_SERVER_ERROR

[zandbelt]

I think it may help to separate out the callback URI so it is not inside the ProxyPass area

[raghunath1986]

@zandbelt : Thanks for your quick response ! Sorry I am implementing OIDC and Apache for the first time. Would you please elaborate your statement.